HIPAA compliance
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted in 2009. Together, the two laws specify requirements for the privacy and security of protected health information (PHI) and apply to all healthcare providers, payers, their business associates, and subcontractors. The laws also establish strict civil and criminal penalties for breaches of PHI and additional steps healthcare organizations must take to respond to breaches.
HIPAA-HITECH applies to "covered entities", which include doctors, hospitals, health insurance companies, and other healthcare providers.
HIPAA's Omnibus Rule, which went into effect in 2013, extends the law to include all business associates of covered entities. These include health information organizations, e-prescribing gateways, and any other entity that provides data transmission services to a covered entity or provides personal health records on behalf of a covered entity and that requires routine access to PHI.
In addition, all subcontractors of the business associates and covered entities must comply with HIPAA-HITECH if they access PHI of the covered entity. Finally, the Omnibus Rule requires any individual who creates, receives, maintains, or transmits PHI on behalf of a covered entity to comply with HIPAA-HITECH.
The U.S. Department of Health and Human Services (HHS), the entity responsible for HIPAA, does not require or formally recognize any HIPAA certification programs for cloud service providers (CSPs). A covered entity therefore needs a CSP that has controls and processes in place to comply with the HIPAA requirements for which it is responsible.
LivePerson enters into business associate agreements (BAAs) with HIPAA-covered entities, certifying that LivePerson protects protected health information (PHI) in accordance with HIPAA guidelines.
The HIPAA requirements are as follows, and each is met by LivePerson:
Access control:
- Unique Identifier required to determine user identity in electronic records
- Emergency procedure required for obtaining electronic PHI (ePHI) during an emergency
- Automatic Logoff that terminates an electronic session after a time of inactivity
- Encryption and Decryption of ePHI
Audit control: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
Integrity: Implement mechanisms to authenticate the validity of ePHI
Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
Transmission security: Ensure that electronically transmitted ePHI is encrypted and is not improperly modified without detection.
Facility access control:
- Establish procedures to allow facility access in support of restoration of lost data
- Establish policies to safeguard the facility from unauthorized physical access, altering, and theft
- Validate a person’s access to facilities based on their role or function
- Document modifications to the physical portions of a facility related to security
Workstation use: Control functions and physical attributes of workstations that access ePHI
Workstation security: Restrict access to workstations that access ePHI to authorized users only
Device and media controls:
- Implement secure policies for disposal of devices/media storing ePHI
- Implement policies for secure removal of ePHI before device/media can be re-used
- Keep a record of movement of devices/media containing ePHI and any person responsible for it
- Backup ePHI, when needed, before movement of equipment
Admin safeguards:
- Security management process: Perform a risk analysis to identify where PHI is used and how it could be exposed, reduce those risks, and apply sanctions to employees who fail to comply
- Assign Security Responsibility: Designate HIPAA Security officers
- Workforce security: Supervise employees who work with PHI
- Information Access Management: Ensure PHI is not accessed by parent, partner, or subcontracting organizations that are not authorized
- Security Awareness & Training: Guard against and report malicious software. Monitor logins and provide regular training to employees with access to PHI
- Security Incident Procedures: Identify, document, and respond to security incidents
- Contingency Plan: Make backups of all ePHI, and implement a process for continued protection of ePHI during emergencies
- Evaluation: Periodically evaluate security policies and procedures to ensure continued HIPAA compliance
- BAA: Sign agreements with partners ensuring they follow HIPAA
HIPAA privacy rule:
- Disallow impermissible use and disclosure of PHI
- Notify covered entity of breaches
- Provide covered entity (or individual) access to PHI
- Disclose PHI to the Secretary of Health and Human Services (HHS), when asked
- Document and account for all disclosures of PHI
HIPAA breach notification:
- Notify patients when there is a breach of unsecured PHI
- Notify HHS if there is any breach of unsecured PHI
- Notify the media and public if the breach affects more than 500 patients
LivePerson would notify the brand it is providing service to so that the brand can notify any affected patients. LivePerson would not normally have sufficient details about a patient to contact them directly. The Conversational Cloud is not an EMR or CRM system.